    IPSec mobile clients not working anymore

    4 Posts 2 Posters 3.5k Views
    boujid

      Hello
      I've been using a pfSense firewall on an old Pentium PC for years without any problem. The firewall was running on an i386 architecture with version 2.1 of pfSense.
      The firewall was used for IPSec mobile clients.

      Now, I've done the same configuration manually on a server with amd64 architecture with version 2.2.4 of pfSense.

      The result: IPSec clients don't work anymore.

      The PC configuration (i386, 2.1):

      VPN: IPSec: Tunnels
      Enable IPSec (enabled)

      VPN: IPSec: Mobile:
      IKE Extensions --- Enable IPsec Mobile Client Support (enabled)
      User Authentication --- Local Database (enabled)
      Group Authentication --- source:none
      Client Configuration (mode-cfg) not used, all options disabled

      VPN: IPsec: Keys
      Identifier : XXXXXXX
      Pre-Shared Key : YYYYYYY

      VPN: IPSec: Tunnels


      General Information
      Disable --- Disable this phase1 entry (disabled)
      internal protocol --- IPv4
      Interface --- WAN
      Description ---

      Phase 1 proposal (Authentication)
      Authentication method --- Mutual PSK
      Negotiation mode --- aggressive
      My identifier --- My IP address
      Policy Generation --- Unique
      Proposal Checking --- Default
      Encryption algorithm --- 3DES
      Hash algorithm --- SHA1
      DH key group --- 2 (1024 bit)
      Lifetime --- 3600 seconds

      Advanced Options
      NAT Traversal --- Force
      Dead Peer Detection --- Enable DPD (enabled)
      10 seconds
      5 retries


      Disabled --- Disable this phase2 entry (disabled)
      Mode --- Tunnel IPv4
      Local Network
      Type: Address
      Address: A.B.C.D/32

      In case you need NAT/BINAT ...
      Type: None
      Address: ---
      Description ---

      Phase 2 proposal (SA/Key Exchange)
      Protocol --- ESP

      Encryption algorithms --- 3DES
      Hash algorithms --- SHA1
      PFS key group --- 2 (1024 bit)

      Lifetime --- 3600 seconds

      Advanced Options
      Automatically ping host ---


      The server configuration (amd64, 2.2.4):

      VPN: IPSec: Tunnels
      Enable IPSec (enabled)

      VPN: IPSec: Mobile:
      IKE Extensions --- Enable IPsec Mobile Client Support (enabled)
      User Authentication --- Local Database (enabled)
      Group Authentication --- source:none
      Client Configuration (mode-cfg) not used, all options disabled

      VPN: IPsec: Keys
      Identifier : XXXXXXX
      Type : PSK
      Pre-Shared Key : YYYYYYY

      IPsec Advanced Settings
      Nothing modified; the default options are still configured:
      Unique IDs : Configure Unique IDs as: YES
      Auto-exclude LAN address --- Enable bypass for LAN interface IP (enabled)

      VPN: IPSec: Tunnels


      General Information
      Disable --- Disable this phase1 entry (disabled)
      Key Exchange version --- v1
      internal protocol --- IPv4
      Interface --- WAN
      Description ---

      Phase 1 proposal (Authentication)
      Authentication method --- Mutual PSK
      Negotiation mode --- aggressive
      My identifier --- My IP address

      Phase 1 proposal (Algorithms)
      Encryption algorithm --- 3DES
      Hash algorithm --- SHA1
      DH key group --- 2 (1024 bit)
      Lifetime --- 3600 seconds

      Advanced Options
      Disable Rekey --- (enabled)
      Responder Only --- (enabled)
      NAT Traversal --- Force
      Dead Peer Detection --- Enable DPD (enabled)
      10 seconds
      5 retries


      Disabled --- Disable this phase2 entry (disabled)
      Mode --- Tunnel IPv4
      Local Network
      Type: Address
      Address: A.B.C.D/32

      In case you need NAT/BINAT ...
      Type: None
      Address: ---
      Description ---

      Phase 2 proposal (SA/Key Exchange)
      Protocol --- ESP

      Encryption algorithms --- 3DES
      Hash algorithms --- SHA1
      PFS key group --- 2 (1024 bit)

      Lifetime --- 3600 seconds

      Advanced Options
      Automatically ping host ---


      VPN clients used:
      Shrew Soft VPN client
      The Greenbow client

      The VPN was working well with the PC for both clients.
      For version 2.1 of pfSense, the IPSec status was displaying SAD and SPD once connected.

      For the server (amd64, 2.2.4):
      The Shrewsoft client displays (tunnel enabled), but there are no security associations in its VPN trace utility (one line: WAN IP -> Client IP, blinks then disappears).

      In pfSense Status: IPsec:

      Overview
      Line 1 :
      Description : ---
      Local ID : WAN IP
      Local IP : WAN IP Port: 4500 NAT-T
      Remote ID : Unknown
      Remote IP : Client IP Port: 4500 NAT-T
      Role : IKEv1 responder
      Reauth : ---
      Algo : 3DES_CBC:0 HMAC_SHA1_96:0 PRF_HMAC_SHA1 MODP_1024
      Status : established 21 seconds ago

      Line 2 :
      Description : ---
      Local ID : WAN IP
      Local IP : WAN IP
      Remote ID : Unknown
      Remote IP : Unknown
      Role : ---
      Reauth : ---
      Algo : ---
      Status : Awaiting connections

      Leases --- empty
      SAD --- empty
      SPD --- empty

      For the Greenbow client, the tunnel doesn't connect; I am getting:

      wrong remote address
      send phase 2 ID

      In the console:
      INVALID ID_INFORMATION_error
      then after some lines
      INVALID_HASH_INFORMATION error

      ------------------------------------------------

      I really need help. As you can see, nothing changed on the client side.
      What changed is replacing an i386, ver 2.1 by an amd64, 2.2.4; then the VPN ceased working.

      Thanks a lot

      boujid

        Hi
        I've been trying different combinations in vain.
        In the Shrewsoft client, the tunnel is up without SAD and SPD, so no traffic is passing.

        The only difference between versions in the configuration is:
        Policy Generation AND Proposal Checking; they were present in ver 2.1, and absent in ver 2.2.4.

        Please, can someone tell me where to find these parameters in the new ver 2.2.4?

        The IPSec log:

        Sep 26 13:12:10 charon: 11[ENC] <22> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V ]
        Sep 26 13:12:10 charon: 11[IKE] <22> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
        Sep 26 13:12:10 charon: 11[IKE] <22> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
        Sep 26 13:12:10 charon: 11[IKE] <22> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
        Sep 26 13:12:10 charon: 11[IKE] <22> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
        Sep 26 13:12:10 charon: 11[IKE] <22> received NAT-T (RFC 3947) vendor ID
        Sep 26 13:12:10 charon: 11[IKE] <22> received NAT-T (RFC 3947) vendor ID
        Sep 26 13:12:10 charon: 11[IKE] <22> received FRAGMENTATION vendor ID
        Sep 26 13:12:10 charon: 11[IKE] <22> received FRAGMENTATION vendor ID
        Sep 26 13:12:10 charon: 11[IKE] <22> received DPD vendor ID
        Sep 26 13:12:10 charon: 11[IKE] <22> received DPD vendor ID
        Sep 26 13:12:10 charon: 11[ENC] <22> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
        Sep 26 13:12:10 charon: 11[ENC] <22> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
        Sep 26 13:12:10 charon: 11[ENC] <22> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
        Sep 26 13:12:10 charon: 11[IKE] <22> received Cisco Unity vendor ID
        Sep 26 13:12:10 charon: 11[IKE] <22> received Cisco Unity vendor ID
        Sep 26 13:12:10 charon: 11[IKE] <22> Client IP is initiating a Aggressive Mode IKE_SA
        Sep 26 13:12:10 charon: 11[IKE] <22> Client IP is initiating a Aggressive Mode IKE_SA
        Sep 26 13:12:10 charon: 11[CFG] <22> looking for pre-shared key peer configs matching PfSense WAN IP…Client IP[ClientIdentifier]
        Sep 26 13:12:10 charon: 11[CFG] <22> selected peer config "con1"
        Sep 26 13:12:10 charon: 11[ENC] <con1|22>generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
        Sep 26 13:12:10 charon: 11[NET] <con1|22>sending packet: from PfSense WAN IP[500] to Client IP[500] (428 bytes)
        Sep 26 13:12:10 charon: 11[NET] <con1|22>received packet: from Client IP[4500] to PfSense WAN IP[4500] (100 bytes)
        Sep 26 13:12:10 charon: 11[ENC] <con1|22>parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
        Sep 26 13:12:10 charon: 11[IKE] <con1|22>IKE_SA con1[22] established between PfSense WAN IP[PfSense WAN IP]…Client IP[ClientIdentifier]
        Sep 26 13:12:10 charon: 11[IKE] <con1|22>IKE_SA con1[22] established between PfSense WAN IP[PfSense WAN IP]…Client IP[ClientIdentifier]
        Sep 26 13:12:10 charon: 11[IKE] <con1|22>faking NAT situation to enforce UDP encapsulation
        Sep 26 13:12:10 charon: 11[IKE] <con1|22>faking NAT situation to enforce UDP encapsulation
        Sep 26 13:12:10 charon: 12[NET] <con1|22>received packet: from Client IP[4500] to PfSense WAN IP[4500] (84 bytes)
        Sep 26 13:12:10 charon: 12[ENC] <con1|22>parsed INFORMATIONAL_V1 request 861609525 [ HASH N(INITIAL_CONTACT) ]
        Sep 26 13:12:10 charon: 12[NET] <con1|22>received packet: from Client IP[4500] to PfSense WAN IP[4500] (292 bytes)
        Sep 26 13:12:10 charon: 12[ENC] <con1|22>parsed QUICK_MODE request 783265714 [ HASH SA No KE ID ID ]
        Sep 26 13:12:10 charon: 12[IKE] <con1|22>no matching CHILD_SA config found
        Sep 26 13:12:10 charon: 12[IKE] <con1|22>no matching CHILD_SA config found
        Sep 26 13:12:10 charon: 12[ENC] <con1|22>generating INFORMATIONAL_V1 request 221095047 [ HASH N(INVAL_ID) ]
        Sep 26 13:12:10 charon: 12[NET] <con1|22>sending packet: from PfSense WAN IP[4500] to Client IP[4500] (76 bytes)
        Sep 26 13:12:15 charon: 10[NET] <con1|22>received packet: from Client IP[4500] to PfSense WAN IP[4500] (292 bytes)
        Sep 26 13:12:15 charon: 10[IKE] <con1|22>received retransmit of request with ID 783265714, but no response to retransmit
        Sep 26 13:12:15 charon: 10[IKE] <con1|22>received retransmit of request with ID 783265714, but no response to retransmit
        Sep 26 13:12:16 charon: 10[NET] <con1|22>received packet: from Client IP[4500] to PfSense WAN IP[4500] (84 bytes)
        Sep 26 13:12:16 charon: 10[ENC] <con1|22>parsed INFORMATIONAL_V1 request 897368151 [ HASH D ]
        Sep 26 13:12:16 charon: 10[IKE] <con1|22>received DELETE for IKE_SA con1[22]
        Sep 26 13:12:16 charon: 10[IKE] <con1|22>received DELETE for IKE_SA con1[22]
        Sep 26 13:12:16 charon: 10[IKE] <con1|22>deleting IKE_SA con1[22] between PfSense WAN IP[PfSense WAN IP]…Client IP[ClientIdentifier]
        Sep 26 13:12:16 charon: 10[IKE] <con1|22>deleting IKE_SA con1[22] between PfSense WAN IP[PfSense WAN IP]…Client IP[ClientIdentifier]

        Thanks

        apu2015
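        The charon log quoted above is strongSwan's IKE daemon recording a phase 1 (aggressive mode) IKE_SA that is established, followed by a quick mode request that fails with "no matching CHILD_SA config found" and an INVAL_ID notify sent back to the client, after which the client deletes the IKE_SA. The script below is an added example, not part of this thread and not code from pfSense or strongSwan: it parses charon lines of that shape, collapses the doubled lines pfSense writes for each message, tracks each IKE_SA through phase 1 and phase 2, and names the stage at which the negotiation failed. The embedded log lines are constructed to mirror the quoted ones, using documentation addresses and a made-up client identity.

```python
"""Triage of strongSwan (charon) IKEv1 log lines such as the pfSense IPsec log.
Each IKE_SA is followed through phase 1 and quick mode (phase 2), and the
stage at which the negotiation failed is reported.  Sample lines are
constructed for this example, not copied from a real system."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Shape of a charon line: "<Mon dd hh:mm:ss> charon: <thread>[<group>] <ctx> <message>"
# ctx is "<22>" before a peer config is chosen and "<con1|22>" afterwards; the
# number after the last '|' is the IKE_SA unique id.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] <(?P<ctx>[^>]*)>\s*(?P<msg>.*)$"
)
PEER_CFG_RE = re.compile(r'selected peer config "([^"]+)"')
NOTIFY_RE = re.compile(r"generating INFORMATIONAL_V1 request \d+ \[ HASH N\((\w+)\) \]")

# Constructed sample: phase 1 succeeds, quick mode matches no phase 2 entry.
# 198.51.100.1 stands for the firewall WAN IP, 203.0.113.10 for the client.
SAMPLE_LOG = """\
Sep 26 13:12:10 charon: 11[IKE] <22> 203.0.113.10 is initiating a Aggressive Mode IKE_SA
Sep 26 13:12:10 charon: 11[IKE] <22> 203.0.113.10 is initiating a Aggressive Mode IKE_SA
Sep 26 13:12:10 charon: 11[CFG] <22> selected peer config "con1"
Sep 26 13:12:10 charon: 11[IKE] <con1|22> IKE_SA con1[22] established between 198.51.100.1[198.51.100.1]...203.0.113.10[client-id]
Sep 26 13:12:10 charon: 12[ENC] <con1|22> parsed QUICK_MODE request 783265714 [ HASH SA No KE ID ID ]
Sep 26 13:12:10 charon: 12[IKE] <con1|22> no matching CHILD_SA config found
Sep 26 13:12:10 charon: 12[ENC] <con1|22> generating INFORMATIONAL_V1 request 221095047 [ HASH N(INVAL_ID) ]
Sep 26 13:12:10 charon: 12[ENC] <con1|22> generating INFORMATIONAL_V1 request 221095047 [ HASH N(INVAL_ID) ]
Sep 26 13:12:16 charon: 10[IKE] <con1|22> received DELETE for IKE_SA con1[22]
"""


@dataclass
class IkeSaState:
    sa_id: str
    peer_config: Optional[str] = None
    phase1_mode: Optional[str] = None
    phase1_established: bool = False
    quick_mode_requested: bool = False
    no_child_sa_config: bool = False
    notifies_sent: List[str] = field(default_factory=list)
    deleted: bool = False


def parse_line(line: str) -> Optional[dict]:
    """Split one charon line into its fields; None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sa_id"] = rec["ctx"].rsplit("|", 1)[-1]
    return rec


def analyse(log_text: str) -> Dict[str, IkeSaState]:
    """Replay the log and build per-IKE_SA state.  A line repeated with the
    same timestamp, SA id and message is counted once (pfSense logs each
    charon message twice)."""
    states: Dict[str, IkeSaState] = {}
    seen = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["ts"], rec["sa_id"], rec["msg"])
        if key in seen:
            continue
        seen.add(key)
        st = states.setdefault(rec["sa_id"], IkeSaState(rec["sa_id"]))
        msg = rec["msg"]
        if "is initiating a Aggressive Mode IKE_SA" in msg:
            st.phase1_mode = "aggressive"
        elif "is initiating a Main Mode IKE_SA" in msg:
            st.phase1_mode = "main"
        if (m := PEER_CFG_RE.search(msg)):
            st.peer_config = m.group(1)
        if msg.startswith("IKE_SA") and "established between" in msg:
            st.phase1_established = True
        if msg.startswith("parsed QUICK_MODE request"):
            st.quick_mode_requested = True
        if "no matching CHILD_SA config found" in msg:
            st.no_child_sa_config = True
        if (m := NOTIFY_RE.search(msg)):
            st.notifies_sent.append(m.group(1))
        if msg.startswith("received DELETE for IKE_SA"):
            st.deleted = True
    return states


def diagnose(st: IkeSaState) -> str:
    """Name the stage at which one IKE_SA stopped making progress."""
    if not st.phase1_established:
        return "phase1-not-established"
    if st.no_child_sa_config or "INVAL_ID" in st.notifies_sent:
        # Phase 1 completed; the quick-mode IDs (traffic selectors) proposed by
        # the client matched no phase 2 entry on the responder.
        return "phase2-no-matching-child-sa"
    if st.quick_mode_requested:
        return "phase2-requested-no-failure-seen"
    return "phase1-only"


if __name__ == "__main__":
    for sa_id, st in analyse(SAMPLE_LOG).items():
        print(f"IKE_SA {sa_id} ({st.peer_config}, {st.phase1_mode}): {diagnose(st)}")
```

        Run against a real pfSense IPsec log, the script only needs the charon lines fed to `analyse`; a result of `phase2-no-matching-child-sa` means phase 1 (PSK, identifiers, phase 1 proposal) is fine and the mismatch is in the phase 2 side of the configuration, which is where the log in this thread points.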

          Hi

          Did you ever solve your problem?

          I've got the same issue with pfSense 2.2.4 and the latest release of The Greenbow VPN…

          As you say, pfSense with 2.1 works, and has worked flawlessly for many years.

          I'd appreciate any advice.

          Thank you

          apu2015

            Hi

            Maybe take a look at my post

            https://forum.pfsense.org/index.php?topic=104680.0

            This may be related to your problem with Shrewsoft.

            Thanks

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.